Protecting Critical Infrastructures – Risk and Crisis Management
A guide for companies and government authorities
Our society’s existence depends on securing the supply of a wide variety of products, services and functions. Protecting vital institutions is therefore a key responsibility of state security. The threat of international terrorism and the increasing number of natural disasters pose a growing challenge for the protection of such critical infrastructures. And information technology, which has pervaded all areas of life and economic activity, brings new vulnerabilities. Because most of the infrastructures which are critical for our society are privately operated, in Germany the government and the private sector work hand in hand to ensure effective protection for these systems and facilities. The security authorities assist the private companies with advising and networking as well as specific recommendations for action. And the private sector contributes its expertise and practical experience to this partnership.

This guide to risk and crisis management is one product of such cooperation. The guide is addressed to operators of critical infrastructures and is intended to help them create and expand their own systems of risk and crisis management. Drawing on the general recommendations in the Baseline Security Strategy for the Protection of Critical Infrastructures (Federal Ministry of the Interior, 2005), this guide offers methods for implementing risk and crisis management and practical tools in the form of examples and checklists. When developing this guide, the Federal Ministry of the Interior, the Federal Office of Civil Protection and Disaster Assistance and the Federal Office for Information Security received assistance from experts with practical experience in the private sector. The Federal Ministry of the Interior would therefore like to thank the following for their help throughout the entire process:
the employers’ liability insurance association for banks, insurance companies, administrations,
liberal professions and special companies, Mr Bernd Marquardt and Mr Hans-Jürgen Penz;
Commerzbank AG, Mr Heinz-Peter Geil;
the Forschungszentrum Jülich GmbH, Ms Sonja Altstetter;
Fraport AG, Mr Friedhelm Jungbluth and Mr Jens Sanner;
Gelsenwasser AG, Mr Uwe Marquardt;
Infraprotect GmbH, Mr Wolfgang Czerni;
Trauboth Risk Management GmbH, Mr Frank Tesch;
VERISMO GmbH, Dr Klaus Bockslaff;
and their employees.
The following partners also deserve thanks for contributing advice and suggestions: EnBW Regional AG, the German Insurance Association (reg’d. society) and the Arbeitsgemeinschaft für Sicherheit der Wirtschaft e. V.

Following the CIP Implementation Plan adopted by the Federal Cabinet in summer 2007 as part of the National Plan for Information Infrastructure Protection, this guide to risk and crisis management is a further contribution by the Federal Ministry of the Interior to strengthen the protection of critical infrastructures. At the same time, it underscores the importance of constructive cooperation between government and the private sector in this key area of internal security.
Berlin, January 2008
Table of Contents
1. Introduction
2. Basic information about critical infrastructures
2.1 Sectors
2.2 Critical infrastructures: Framework conditions and characteristics
2.2.1 Changes in the threat situation
2.2.2 Socio-economic framework conditions
2.2.3 Special characteristics of critical infrastructures
2.3 Legal requirements concerning risk and crisis management
3. Risk and crisis management to protect critical infrastructures
3.1 Phase 1: Preliminary planning
3.1.1 Establishing risk and crisis management
3.1.2 Division of responsibilities
3.1.3 Resources
3.1.4 Clarifying legal obligations
3.1.5 Strategic protection aims
3.1.6 Risk communications
3.2 Phase 2: Risk analysis
3.2.1 Criticality analysis
3.2.2 Risk identification
3.2.2.1 Threat analysis and scenario development
3.2.2.2 Vulnerability analysis
3.2.2.3 Risk calculation
3.2.2.4 Comparing and evaluating risks
3.3 Phase 3: Preventive measures and strategies
3.3.1 Risk reduction
3.3.2 Risk avoidance
3.3.3 Risk shifting
3.3.4 Acceptance of risks (residual risks)
3.3.5 Property insurers’ experience with damages
3.4 Phase 4: Crisis management
3.4.1 The structure of crisis management
3.4.1.1 The crisis management plan
3.4.1.2 Special crisis structures
3.4.1.2.1 Crisis task force
3.4.1.2.2 Crisis task force leadership
3.4.1.2.3 Crisis task force team
3.4.1.2.4 Expert advisers in the task force
3.4.1.3 Procedures
3.4.1.3.1 Reporting channels and alerts
3.4.1.3.2 Crisis communications
3.4.1.4 Crisis management centre
3.4.2 Crisis management
3.4.2.1 Information gathering and review
3.4.2.2 Situation assessment, decision-making and implementation of measures
3.4.2.3 Monitoring
3.4.2.4 Ensuring continuity of operations
3.4.2.5 Return to normal operations
3.4.2.6 Documentation of crisis management operations
3.4.3 Follow-up
3.4.4 Exercises
3.5 Phase 5: Evaluating risk and crisis management
I. References
II. Terminology
III. List of threats – Information on types, exposure, intensity, impacts and points of contact
IV. Checklists
IV.1 Preventive measures
IV.1.1 Risk and crisis management – general
IV.1.2 Grounds, buildings, facilities – floods
IV.1.3 Grounds, buildings, facilities – earthquakes
IV.1.4 Grounds, buildings – storms
IV.1.5 Grounds, buildings – wilful criminal and/or terrorist acts
IV.1.6 Facilities and equipment – power supply
IV.1.7 Facilities and equipment – information technology
IV.1.8 Facilities and equipment – communications technology
IV.2 Crisis management review
IV.2.1 General organization
IV.2.2 Staff – general
IV.2.3 Crisis management – pandemic planning (especially influenza pandemic)
IV.3 Crisis management
IV.3.1 General procedures during crisis
IV.3.2 Special emergency procedures
IV.4 Follow-up
IV.5 Exercises
IV.6 Selecting and equipping a crisis management centre
V. Risk analysis example
V.1 Criticality analysis
V.2 Threat analysis and scenario development
V.3 Vulnerability analysis
V.4 Risk calculation
V.5 Risk comparison
This guide offers a management strategy to help operators of critical infrastructures, i.e. companies and government authorities, identify risks, implement preventive measures and deal with crises effectively and efficiently. Critical infrastructures are understood here as organizations and institutions of central importance for the country and its people whose failure or functional impairment would lead to severe supply bottlenecks, significant disruption of public security or other dramatic consequences.

Recent history has shown that infrastructures can indeed be damaged and that disruption of critical processes can have far-reaching social and economic impacts.

Serious damage may be caused by
- natural events,
- technical failure or human error,
- intentional acts of a terrorist or other criminal nature
- and war.

Operators of critical infrastructures need to be aware of these causes and prepare for them. This means identifying and reducing risks as far in advance as possible and preparing for unavoidable crises as much as possible. Doing so helps ensure survival in the event of a crisis, thereby helping companies add value and comply with legal requirements and helping government authorities fulfil their mission of providing vital

The strategy for risk and crisis management presented in this guide consists of five phases: planning to set up a system of risk and crisis management, describing the basic aspects of risk analysis, implementing preventive measures, portraying aspects of robust crisis management and evaluating the system of risk and crisis management in an organization. The term “organization” refers here to companies or government authorities which operate critical infrastructures as defined

Phase 1 – Planning in the organization

Thorough planning creates the necessary conditions for successfully implementing all or part of this guide.

Before implementing the guide, fundamental issues need to be clarified, including how risk and crisis management is anchored in the organization, the definition of responsibilities for implementation, availability of resources, clarification of legal obligations to establish risk and crisis management, and the definition of strategic protection aims to be achieved in the company or government authority.

Phase 2 – Risk analysis

A risk analysis provides a structured overview of an organization’s individual processes, possible threats to these processes and the vulnerability inherent in these processes. Combining this information yields a risk analysis for all critical processes in individual scenarios.

The information on risks can be compared, to provide an easy-to-understand picture of risks in which risk priorities can be identified.

The results of the risk analysis can be evaluated by checking them against the strategic protection aims already set. If it is not possible to achieve most of the strategic protection aims, then concrete measures must be taken to reduce existing risks and make it easier to deal with crises.
Phase 3 – Preventive measures and strategies

Preventive measures help reduce risks to processes and thus to the provision of products and services. They make organizations more crisis-resistant, helping to reduce the number and intensity of crisis events. Preventive measures are aimed at actively protecting components within organizations or

Other possibilities include avoiding, shifting or consciously accepting risks. Here, one should be aware that risk avoidance usually entails a certain lack of flexibility for the company or government authority. Shifting risk does not reduce physical risks, but only ensures financial compensation, although this may be significantly less than actual damage caused in individual cases.

Phase 4 – Crisis management

If a company or government authority experiences serious damage despite preventive measures, crisis management should provide for special structures to deal with the situation.

Crisis management includes special structures and procedures which differ from those for regular operations. During a crisis, decision-making authority is centralized in order to be able to react to situations without delay, containing the impact of a crisis and reducing the time needed to restore

Phase 5 – Evaluation of risk and crisis management

Evaluation covers all phases of risk and crisis management, from the measures identified during planning to checking that risk profiles are current and preventive measures and crisis management are effective. Such evaluation should be undertaken regularly.

Additional evaluations may be necessary
- after measures are implemented,
- after the organization is expanded or restructured, and
- if the threat situation changes.

The annex to this guide contains an example for carrying out a risk analysis and checklists for measures implemented in

Contact:
Bundesamt für Bevölkerungsschutz und Katastrophenhilfe
Abteilung II
Notfallvorsorge, Kritische Infrastrukturen
53127 Bonn, Germany
http://www.bbk.bund.de
1 Introduction

Infrastructures are an essential part of our highly developed society. In our daily lives, we all rely on infrastructures and depend on their unlimited availability.

Since 1997, the federal government has focused on protecting what are known as critical infrastructures in order to analyse the need for additional protective measures. Critical infrastructures are understood as “organizations and institutions of central importance for the country and its people whose failure or functional impairment would lead to severe supply bottlenecks, significant disruption of public security or other dramatic consequences.”1

Their constant availability is threatened by natural events, technical failure or human error and intentional acts of a terrorist or other criminal nature. An armed conflict in Germany would also result in enormous damage to infrastructures.

The threat situation has changed constantly over the past years. There are indications that the threat of natural disasters as well as threats posed by terrorist or criminal activity are on the rise, creating new challenges for society.

Like the threat situation, the vulnerability of infrastructures is also changing. Most infrastructure systems today are linked in some way. Disruptions in one area can multiply in other locations, branches or sectors, with an impact that extends far beyond the original area of damage.

The financial and personnel resources available to operators to protect their infrastructure systems are limited, so it is especially important to use these resources efficiently and effectively. To do so, it is essential to be aware of the threats and risks and of the possibility to compare and assess risks in order to set priorities. This then provides the groundwork for implementing targeted protection measures.

This guide, “Critical Infrastructure Protection: Risk and Crisis Management”, is the product of collaboration among private industry, government authorities and a research institute. The guide applies to all sectors and is intended for companies and government authorities as a tool for self-analysis.

It brings together information on the theory behind risk and crisis management with practical checklists and an example of risk analysis with the aim of enabling companies and government authorities to set up or expand an effective and efficient system of risk and crisis management on their own or with external help.

From the federal perspective, the overarching goal is to reduce the impact of extreme incidents on critical infrastructures and to be better able to handle anticipated crises.

1 As defined by the Working Group on Infrastructure Protection (AK KRITIS) at the Federal Ministry of the Interior on 17 November 2003.
2 Basic information about critical infrastructures

2.1 Sectors

Critical infrastructures as defined in the Introduction are mainly found in the following sectors:
- energy (electricity, oil, natural gas)
- water and food supply, health care, emergency
- information and communications technology
- hazardous materials (chemical industry and biological substances)
- banking and finance
- government authorities, public administration and the judicial system
- media, major research institutes and cultural assets

2.2 Critical infrastructures: Framework conditions and characteristics

In recent years, disruptions of critical infrastructures have repeatedly been characterized by two features:

1. Widespread impact on infrastructures caused in particular by natural threats, with regional, national or Europe-wide impacts (e. g. flooding of the River Elbe in 2002, winter storm Kyrill in 2007).

2. Local disruptions or damage have impacts which in some cases extend far beyond the original area of damage due to networks and connections across regions and between systems (e. g. shutdown of a power line across the River Ems in 2006 which led to blackouts in parts of Europe).

In the following, the central elements of changed and changing framework conditions and characteristics are analysed, providing the basis for developing a system of risk and crisis management using this guide.

2.2.1 Changes in the threat situation

Disruptions to critical processes of infrastructure systems can have far-reaching social and economic consequences. Although the following examples do not clearly indicate a trend towards a more critical threat situation, they do confirm the need for ongoing protection of critical infrastructures.

Example: Extreme weather

Extreme weather can have a direct impact on infrastructure systems. It is still too early to reliably predict changes in extreme weather events in Germany due to global climate change, as there is not yet enough information on atmospheric warming and its effects on Germany. However, some trends, such as an increase in heavy precipitation, have shown up in weather data. Flooding on the rivers Oder in 1997 and Elbe in 2002 and around the Alps in 2005 follows this pattern.2

Example: Public health threats (influenza pandemic)

In the 20th century, there were several major outbreaks of influenza, including the Spanish flu pandemic in 1918 which killed more than 50 million people world-wide. Today, experts agree that it is only a matter of time until a new and highly dangerous virus evolves from mutations. An influenza pandemic would also spread throughout Germany via the country’s international transport hubs. The effects would threaten all areas of life, including the entire private sector and government agencies. Not only can a pandemic affect demand for products and services, it can also threaten the entire economic and social infrastructure. The availability of many resources and services could be limited or cut off entirely. Due to mutual dependencies, this can lead to a domino effect shutting down much of the government, economy and society.3 Models calculated for Germany figure an infection rate of 15–50 percent.4 In addition to employees who are unable to work because they are ill, others would stay home to care for sick family members or out of fear of infection, significantly increasing the absentee rate.

2 Rahmstorf et al., 2006, p. 70.
3 Federal Office for Civil Protection and Disaster Assistance, 2007.
4 Robert Koch Institut 2007b, p. 4.
BASIC INFORMATION ABOUT CRITICAL INFRASTRUCTURES
Example: International terrorism

International terrorism is characterized by loosely structured networks. Individual cells are connected by little more than common aims; they operate largely independent of each other and without a central command structure. Such loose networks are able to act quickly and flexibly without being detected.5 In 2006, attempts to set off bombs on two regional trains failed for technical reasons; in 2007, the authorities were able to prevent planned attacks against a number of US installations in Germany.

Example: Information technology

The news media report almost daily on hacker attacks or industrial or economic espionage. Even apart from such threats, however, hard- and software failures and simple human error can lead to significant impacts and damage to critical infrastructures. One example is the large-scale power outages in the US and Canada in 2003, largely due to problems with one electricity provider’s transmission system. Another example is the collapse of the entire EC debit card system in Switzerland in 2000, resulting from an error in one computing centre.

2.2.2 Socio-economic framework conditions

Growing dependence

Private industry and government agencies increasingly depend on external providers of goods and services. One such service, the supply of electricity, is extremely important. Almost every single service depends directly or indirectly on the reliable supply of electricity.

Subjective perceptions of risk

Government and private industry invest a great deal of money in security and count on this investment being effective. However, the positive effects of security measures are often not measurable in objective terms. Instead, companies or government authorities regard long periods without crises as confirming the effectiveness of measures taken, which can lead them to overlook potential threats and vulnerable areas.

And in practice, the risks identified are often those which appear to be manageable or controllable and part of an obvious chain of cause and effect.6 Other risks are ignored, consciously or unconsciously, and their possible impacts not taken into account when implementing preventive measures.

Demographic change

Changes in the age structure of society and migration-related changes to population density within Germany create new demands on critical infrastructures, in some cases with ramifications for security. For example, decreasing water consumption and the resulting reduced flow of water to end users can create hygiene problems in water supply systems.

Changed economic framework conditions7

Changes in market activity, such as those caused by market liberalization and privatization of state-owned infrastructure operators, can affect the level of security and investment in security measures. Competition and the pressure to cut costs create conditions in which security precautions such as back-up systems and other buffers are reduced. Although operators largely comply with regulatory requirements, increasingly precise calculations allow them to take greater advantage of room for discretion and to reduce security buffers, which are then missing especially in crisis situations.

2.2.3 Special characteristics of critical infrastructures

Networks within sectors

Infrastructure services are provided over large areas via physical, virtual or logical networks. These networks are growing in size and complexity. Intersections within these networks represent possible areas of vulnerability, where disruption can lead to regional, interregional, national or even global outages or failures. Information and communications technology and the supply of electricity, water and natural gas in particular rely on networks of this kind.

Links between sectors (interdependence)

Infrastructure systems are characterized by a high degree of interconnection. Thanks to the rapid spread of information technology, this development has gained momentum over the past 15 years. In addition to making supply processes more efficient, such interconnection also creates interdependencies which in many cases can be measured only in qualitative terms. Many physical, virtual and logical dependencies are not apparent until a crisis occurs and the connection breaks down. The high level of interdependence can lead to cascading shut-downs.8 At the same time, smaller and smaller disruptions are enough to cause dramatic consequences in complex systems (vulnerability paradox).9

5 Cf. International Risk Governance Council 2006, pp. 11–17.
6 Cf. Lewis 2006, p. 1.
7 Dost 2006.
8 Cf. Lewis 2006, p. 57.
9 Rosenthal 1992, p. 74 f.
Figure 1 “Interdependencies of selected critical infrastructures” shows the interdependencies between selected critical infrastructures. Here, only direct dependencies between individual sectors or branches are initially taken into account.

Changed technological framework conditions

Technology, especially information technology, is developing at a rapid pace. Often, new developments can be introduced only in certain areas, leaving old components and procedures in place alongside new ones. New hard- and software that has been introduced without sufficient testing or with errors; incompatible systems; inadequately planned migrations to new hard- or software platforms; and staff not properly trained to use the new components can all lead to security gaps and areas of weakness which could, under certain circumstances, cause the entire system to fail.

Types of damage

Critical infrastructures are subject to many different types of damage, from actual physical harm or damage to persons or property, to financial losses, psychic harm and anxiety, to the public’s loss of faith in the political leadership.

Figure 1: Interdependencies of selected critical infrastructures

2.3 Legal requirements concerning risk and crisis management

Public limited companies and limited liability companies (GmbH) are currently subject to overarching legal requirements for controlling risk and crises. The financial sector also has regulations which are obligatory in practice, such as minimum requirements for risk management (MaRisk). According to these regulations, the concept of enterprise security includes protecting persons and material goods such as buildings and facilities, maintaining operations through any kind of disruption up to a crisis, whether a stock market crisis, natural disaster or terrorist attack.

The Trading (Control and Transparency) Act (KonTraG) adds to the Stock Corporation Act the obligation to set up a monitoring system for the purpose of enterprise risk management. The regulation refers only to public limited companies, but in practice applies also to partnerships limited by shares (KGaA) and large limited liability companies (GmbH), in particular those with codetermined or optional supervisory boards.
Market risks are often dealt with in the context of the Trading (Control and Transparency) Act. By contrast, security risks10 and risks from events of nature are often underestimated, although the Act covers all risks that could threaten an enterprise’s existence. Section 91 (2) of the Stock Corporation Act (AktG), for example, obliges the management boards of public limited companies “to take appropriate measures, in particular to set up monitoring systems, in order to identify at an early juncture developments which threaten the company’s existence.” However, the law does not indicate any method to serve as a standard. Thus the specific measures are left up to the individual enterprises. The internal monitoring system should be designed to identify threatening developments early enough so that appropriate measures can be taken to safeguard the company’s existence.

Thus the company’s management has a legal obligation to implement an effective system of risk management. If it fails to do so, the auditor may refuse to certify the company’s annual accounts. The auditor is thus responsible for checking whether the board has provided for appropriate risk management (Section 317 (4) Commercial Code). This includes an assessment of threats, evaluations of any interruptions of operations, implementation of systematic measures to avoid such interruptions, and a regularly updated emergency plan.11 Setting up a monitoring system is one of a board’s general obligations under Section 76 (1) of the Stock Corporation Act. In case of damage, the board can be held liable under Section 93 (2) of the Act if the board has violated its duty to take due care.

Not only the Trading (Control and Transparency) Act, but also the harmonized European insurance law Solvency II requires risk management for enterprises which takes into account all risks which may confront insurers. By including possible risks in the terms of insurance, the insurer can make the provision of insurance protection conditional on preventive measures taken and thus implicitly on a system of risk management. Under Section 6 (1) of the Act on Insurance Contracts (VVG), failure to fulfil the terms of insurance leads to loss of cover.

In the same way, the Basel II Capital Accord, which is intended to minimize the effects of bank failures, explicitly requires that banks’ operational risks be taken into account along with market and credit risks. Even though Basel II only deals with risks to financial institutions, it is possible that banks will in turn require enterprises to account for their risks, thereby making lending conditional on risk management. If the system of risk management sufficiently considers and accounts for all risks, this can result in more favourable lending terms, as it reduces the bank’s risk of failure.

10 See: Federal Ministry of the Interior 2005.
11 Cf. Bockslaff 1999, p. 109.
3 Risk and crisis management to protect critical infrastructures

The strategy for risk and crisis management presented in this guide constitutes a systematic process and consists of five phases representing the necessary scope of process-based risk and crisis management in a private enterprise or a government authority. The five phases are as follows: 1. preliminary planning to establish a system of risk and crisis management; 2. risk analysis; 3. specification of preventive measures; 4. implementation of a system of crisis management; and 5. regular evaluation of phases 1 through 4. Figure 2 “The five phases of risk and crisis management” illustrates this strategy and shows the process in the form of a chart.

As described here, risk and crisis management is based on a general “plan – do – check – act” (PDCA) management cycle. This allows it to be incorporated into existing management structures such as quality management, existing risk and crisis management, or process management. The term “organization” refers here to private enterprises or government authorities which operate critical infrastructures as defined

Figure 2: The five phases of risk and crisis management12

Figure 3: The process of risk and crisis management based on PDCA13

12 Cf. Australian/New Zealand Standard 2004, p. 13; Trauboth 2002, p. 23.
13 Cf. Gesellschaft für Anlagen- und Reaktorsicherheit 2007, p. 21.
RISK AND CRISIS MANAGEMENT
TO PROTECT CRITICAL INFRASTRUCTURES
3.1 Phase 1: Preliminary planning

Thorough preliminary planning creates the necessary conditions for successfully establishing risk and crisis management in a private enterprise or a government authority.

Before applying this guide, fundamental issues need to be clarified, in particular how the organization’s leadership establishes risk and crisis management; acceptance of the process; definition of responsibilities; availability of resources and definition of strategic protection aims.

3.1.1 Establishing risk and crisis management

Creating or expanding a system of risk and crisis management is initiated by the organization leadership, which also clarifies the goals it intends to pursue. The system is implemented and applied at the working level, and staff are involved in the process.

Creating risk awareness throughout the entire organization by means of a consistent and transparent risk policy must receive special attention, because the quality of risk management depends on staff acceptance and motivation.

3.1.2 Division of responsibilities

The process of establishing risk and crisis management should be led by someone with expertise in this field, who is also responsible for overseeing the substantive aspects of the project. The project leader should consult with the head of the organization as needed. It is advisable to assign this task to the manager responsible for this area in the enterprise or government authority.

The head of the organization is responsible for making basic decisions arising from the creation or expansion of risk and crisis management. This applies in particular to approval of financial and staff resources.

It is difficult to know ahead of time which tasks will need to be assigned in the course of implementing risk and crisis management. These can be specified during implementation.

3.1.3 Resources

The needs arising from establishing risk and crisis management are estimated in advance. If necessary, an interdisciplinary task force made up of organization staff can be set up to provide support to the project leader and take over individual tasks. It helps if these staff have a detailed understanding of the organization’s structure. All the main divisions of the organization should be represented on the task force.

If the necessary expertise in risk and crisis management is lacking within the organization, staff may be given additional training or outside specialists may be hired.

The resources needed to apply risk and crisis management within the organization will be identified during the course of the project.

3.1.4 Clarifying legal obligations

Preliminary planning includes clarifying legal obligations to establish a system of risk and crisis management.

3.1.5 Strategic protection aims

When establishing risk and crisis management, strategic protection aims need to be formulated to define what the system of risk and crisis management is intended to achieve.

Protection aims are heavily influenced by ethical, operational, technical, financial, legal, social and environmental aspects.14 15 They display the following characteristics:
- they describe a desired target state,
- they create room to implement various measures, and
- they are specific, measurable, accepted, realistic and time-dependent (SMART).

Examples:
- best possible protection of staff and others on site (e. g. clients),
- maintenance of the organization’s functionality even in extreme situations,
- compliance with legal requirements,
- prevention of major economic damage, and
- prevention of possible damage to the

14 Examples: human life, social relevance of the product or service provided, size of the facility, financial resources, guidelines, regulations.
15 Australian/New Zealand Standard 2004, p. 15.
3.1.6 Risk communications

In general, risk communications refer to “all communication processes related to identifying, analysing, assessing and managing risks and the necessary interactions between those involved.”[16] Risk communications provide the platform for risk awareness and risk acceptance in private enterprises and government authorities. Both aspects are essential for successful risk management. In the present context, it is useful to distinguish between an organization’s internal and external risk communications.

Internal risk communications refer to all communicative interaction concerning risk within an organization: from establishing the system of risk management to evaluating it. Risk communications should be given special attention during the process of establishing a system of risk management. It is crucial to discuss the subject and aims of risk management at an early stage with those who will be responsible for it. Successful internal risk communications are the prerequisite for successful external risk communications.

External risk communications are not aimed merely at informing and instructing the media and those affected; rather, they seek a dialogue tailored to a specific audience. Here one must always remember to communicate risk-related topics in such a way that no misunderstandings can arise between sender and receiver. For example, empirical research has demonstrated differences in the way experts and ordinary persons perceive risk. In order to avoid unacceptable results, risk communications should always be timely, unambiguous, audience-appropriate, consistent and reliable. For risk communications to be effective, the audience must trust the source and find it credible.[17]

3.2 Phase 2: Risk analysis

A risk analysis structures and objectifies the information gathered on threats and risks in private enterprises and government authorities. In this guide, risks refer to processes and their individual components. Risk analysis studies different processes and their components and compares their different risks for the organization. This comparison makes it possible to determine the urgency and priority of measures that can have a significant influence on risk. In this way, risk analysis provides the basis for managing limited financial and personnel resources effectively and efficiently.

As understood in this guide, risk analysis should answer the following questions:

• What kind of threats may arise?
• How likely are these threats to arise where the organization is located?
• Which areas would be vulnerable in case of threat?

These questions show that the analysis of risks inherent in processes or their components addresses information about threats and about the vulnerability of processes and their components.

This guide deals with operational processes, i.e. core and supporting processes, which will not be treated separately in the following and thus are referred to as processes or sub-processes; in this guide, sub-processes are understood as individual segments of processes.

The risk analysis starts by dividing the organization into processes and sub-processes. The organization itself decides the degree to which sub-processes are further subdivided; for example, if a control room is identified as part of a process, it can be defined as a sub-process. It is also possible to divide the control room itself into further sub-processes. The more levels of sub-processes there are, the more effort a risk analysis will require; however, it will also have greater informational

[16] Jungermann et al., 1991, p. 5.
[17] For more information on detailed planning of risk communication, see Wiedemann et al. 2000 and Gray et al. 2000.
[18] For more information on processes and their representation, see Gesellschaft für Anlagen- und Reaktorsicherheit 2007.
RISK AND CRISIS MANAGEMENT
TO PROTECT CRITICAL INFRASTRUCTURES
Figure 4: Process, sub-processes, risk elements

Figure 4 “Process, sub-processes, risk elements” provides a schematic representation of a process, its sub-processes and their division into further sub-processes and their components.

Components of sub-processes are those elements that contribute to the function of a process. These elements are called “risk elements” in this guide. They are individual physical or virtual elements which may be harmed or damaged, with an impact on the sub-process in question. This guide covers the following risk elements:

People (staff and others on the premises): It is essential to protect everyone on the premises sufficiently against threats or to take them to safety in case of imminent threat. To do so, all organizations must take precautions to provide the best possible protection for those on site, especially before police, fire and emergency service personnel arrive in the event of an emergency and after they leave.

Staff, in particular specialized staff, are risk elements in the sense of retaining the functionality of sub-processes.

Grounds: This includes all outdoor areas, including roads, storage and parking areas, green spaces and areas essential to

These include all structures above and below ground, such as production halls, warehouses and administrative buildings as well as parking garages.

Facilities and equipment: Facilities and equipment of sub-processes can be found in all areas of an organization, particularly in the following:

• electricity supply,
• natural gas supply,
• district heating,
• water supply,
• information technology (IT),
• communications technology (CT) and
• transport (including vehicles and fuel supply).

Special, organization-specific facilities and equipment: This includes all specialized facilities and equipment.[19] Identifying the relevant organization-specific risk elements is one of the most important prerequisites for a successful risk analysis, since critical processes are often directly dependent on organization-specific facilities and equipment.

Data and files: These include all information kept in electronic and paper form needed to maintain sub-processes in the organization.

Other resources: As referred to in this guide, this covers all other means of production not already mentioned.

3.2.1 Criticality analysis

A criticality analysis allows an organization to identify which processes out of all those listed would have far-reaching consequences for the organization if disrupted. Appropriate measures must be taken to protect such critical processes sufficiently. The identification of risks and, above all, the preventive measures chosen to reduce risk should initially concentrate on risk elements of the sub-processes of critical processes.

[19] Examples: Control components, software, medical equipment, special heating and ventilation systems, secure entry systems, storage
The following criteria may be used to identify critical

Life and health: If the process is disrupted, what will be the impacts on human life and health?

Time frame: If the process is disrupted, how long will it take to have an impact on the organization’s overall product/service? The shorter the time, the more critical the process.

Magnitude: How much of the overall product/service will be affected if this process is interrupted or completely stopped?

Contractual, regulatory or legal relevance: If the process is disrupted, what contractual, regulatory or legal consequences will this have for the organization?

Economic damage: If the process is disrupted, what is the estimated financial damage to the organization?

The organization should decide which criteria to use, how many criteria should apply at once and what classification to use within the criteria.

The criticality analysis results in identifying all critical processes in an organization and portraying the sub-processes at work in them as well as their risk elements.

3.2.2 Risk identification

An organization’s risks are determined by the threats arising at its location(s) which may impact on its risk elements and by the vulnerability of these risk elements. Combining the relevant information on threats and vulnerability results in identifying the risk to the risk elements in question and, when aggregated, to the sub-processes in question. In this guide, risks to the risk elements are called sub-risks; aggregated risks to the sub-processes are called overall risks. The aspects of risk identification are described in detail in the following sections.

3.2.2.1 Threat analysis and scenario development

Recognizing and documenting all relevant threats is crucial to a successful risk analysis. The first step in analysing threats and developing scenarios should therefore be drawing up a list of threats that may arise at the organization’s location(s). This comprehensive list should describe the general nature of these threats, their intensity, duration and possible effects.[21]

On the basis of a site-specific list of threats, it is possible to develop scenarios containing additional information needed for risk analysis and crisis management. These scenarios should represent realistic incidents that could result in crises. The staff member in charge of risk and crisis management should determine the number of scenarios to be included in the risk analysis. The aim is to cover all possible threats.

The following additional information is gathered for each scenario:

Which sub-processes and risk elements could be affected? Whether a process, sub-process or risk element is affected depends on its exposure. Both large-scale exposure and local effects may lead to shutdowns, depending on whether sub-processes and risk elements are affected and to what

[20] The Business Continuity Institute 2005, p. 26.
[21] Annex III provides an overview of possible threats and their characteristics as well as further points of contact for analysing these threats. The list of threats in the Annex is limited to natural disasters, technical failure, human error, wilful acts and war. It is not meant to be exhaustive; practitioners should add further types of threats as relevant. In particular, this guide does not cover threats which arise gradually and can lead to financial, market or strategic risks.
Anticipated intensity: How strong will the threat impact be on a sub-process and its risk elements?

How long could the incident last?

Advance warning: How much time can be expected between the advance warning and the incident?

Secondary effects: What effects will arise from process dependencies? What psychological effects could the incident produce? What kind of public or media impact could the incident have?

Reference incidents: Which comparable incidents could be examined for further information?

Likelihood of occurrence: What chance of the incident occurring can be estimated or identified?

Often, the likelihood of a scenario with a pre-determined intensity, geographical scale and duration, advance warning and secondary effects can only be estimated. For example, historical records useful for calculating the probability of an incident have been kept only for certain natural events or failures of man-made structures. When developing scenarios, it is advisable to estimate the probability of occurrence using a classification system.[22]

IMPORTANT NOTE – DEPENDENCIES AND SCOPE OF SCENARIO:
Extreme incidents typically have a broad range of impacts. For example, a power failure may affect the water supply or interfere with suppliers’ operations.
When developing scenarios, one should be careful to view each scenario in isolation, such as scenario 1: Failure of external power supply, scenario 2: Failure of external water supply. Otherwise, the risk analysis will be based on a few very complex scenarios with too many impacts to keep track of.
But marginal effects arising from dependencies should be incorporated into the scenarios. This applies in particular to effects which magnify the impacts.

The selected scenarios should be checked, updated and added to on a regular basis. Further relevant scenarios can be added as needed in order to identify all possible risks to the

3.2.2.2 Vulnerability analysis

Along with possible threats, the vulnerability of sub-processes and risk elements is decisive in determining how the organization is affected and what damage occurs. The more vulnerable individual sub-processes and risk elements are, the greater the impact of threats on the organization’s product or services.

A catalogue of criteria is used to identify the vulnerability of sub-processes and individual risk elements. Using the catalogue of criteria, the vulnerability of each risk element in a sub-process is estimated. This can also be done using a classification system.[23]

Organizations can use the following list of criteria to create or add to their own catalogue of criteria.

Dependence on risk elements: If a sub-process depends on a risk element in order to perform its tasks, the potential unavailability or alteration of this risk element makes the sub-process vulnerable. In the risk analysis, this criterion can be viewed as a way to weight the importance of the risk element for the sub-process.[24]

Dependence on external infrastructures: If a risk element depends on an external infrastructure in order to perform its tasks, the potential unavailability or alteration of this infrastructure makes the risk element

[22] The example of risk analysis in Annex V uses a five-step classification for the probability of possible scenarios.
[23] The example of risk analysis in Annex V uses a six-step scale of vulnerability (including 0 for not relevant).
[24] In the example of risk analysis in the Annex, this criterion is used as a weighting factor. It is calculated as an individual factor in the risk identification process. Estimates of the remaining vulnerability criteria are added together and therefore treated as a collective factor in the risk identification process.
Dependence on internal infrastructures: If a risk element depends on an internal infrastructure in order to perform its tasks, the potential unavailability of this infrastructure makes the risk element vulnerable.

Robustness: The physical robustness of risk elements (in particular facilities, equipment, buildings) is an important factor for whether they will be damaged by an extreme incident, with effects for the relevant sub-processes.

Actual level of protection: A risk element not sufficiently protected against a threat is vulnerable should this threat arise (example: (non-)existent building security measures).

Redundancy, substitutes: If something should happen to a risk element in an organization, it is easier to handle the situation if there are backups or substitutes to perform the same tasks. Redundancy of risk elements or substitutes reduces the vulnerability of the sub-process in question.

Restoration effort: Restoration effort refers to the effort needed to restore a damaged risk element. With regard to the vulnerability of a sub-process, this covers not only monetary costs, but also the time and staff resources needed.

Adaptability: A sub-process is vulnerable if its risk elements cannot adapt easily or at all to changing framework conditions (example: in the case of hot weather leading the temperature of river water to rise, this could be water-cooled equipment).

Buffer capacity: Buffer capacity means that the sub-process can tolerate the effects of an incident to a certain degree and for a certain time without being affected.

Transparency means that it is easy to understand how a risk element is put together and how it functions, so that it can be repaired quickly in case of crisis, for example.

Dependence on specific environmental conditions: Organizations perform under the environmental conditions prevailing at their location. If the organization depends on specific environmental conditions, then it is vulnerable to potential changes in these conditions.

3.2.2.3 Risk calculation

Within the risk analysis, calculated values, estimates or results of the scenarios and vulnerability analysis are linked to risk values or results. Risk values are linked by means of a function. In this guide, sub-risks to risk elements are understood as a function of the probability that the scenario in question will occur and of the vulnerability of the risk element. The overall risk to a sub-process is then the aggregate of sub-risks to the risk elements in the sub-process.

In principle, risks can be calculated in three different ways:[25]

Qualitative risk calculation: This method delivers rough estimates of described risks in text form, without producing numerical comparability.

Semi-quantitative risk calculation: This method uses a classification system to estimate values for individual risk factors so that they can be compared in numerical form.

Quantitative risk calculation: This method calculates risk factors mathematically, for example by using time-series analyses in the case of probability of occurrence, or by using simulation models to identify the impacts on an organization.

The choice of method depends on how much effort can and should be expended, and on what information is available.[26]

3.2.2.4 Comparing and evaluating risks

The risk values or described risks calculated in this way can now be compared with each other. Such comparison is especially useful in the case of qualitative and semi-quantitative analyses, because the resulting values and descriptions are not absolute quantities. But the results of qualitative and semi-quantitative analyses can be very valuable in relation to each other, i.e. in internal comparison.

The aim of such comparison is to identify those risk elements and sub-processes which face the highest risks.

[25] Cf. Australian/New Zealand Standard 2004, pp. 18–19.
[26] Annex V gives an example describing how to carry out a risk analysis using semi-quantitative calculation of sub-risks to risk elements and of overall risks to sub-processes. For another method of risk analysis specifically for the field of information technology, see: Bundesamt für Sicherheit in der Informationstechnik (BSI) 2005.
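The semi-quantitative linking function of 3.2.2.3 and the internal comparison of 3.2.2.4, worked through in Python as an added example that is not part of the guide or its Annex V. The scales and the treatment of dependence as a weighting factor follow footnotes 22 to 24; the product form of the function, the scenario names and every score are assumptions constructed for illustration.

```python
"""Semi-quantitative risk calculation and internal comparison (added example,
not from the guide or its Annex V). Assumptions, all labelled: probability is a
class 1..5 (footnote 22); each criterion scores 0..5 with 0 = not relevant
(footnote 23); "dependence on risk elements" is an individual weighting factor,
the other criteria are summed into a collective factor (footnote 24); the
linking function is assumed, not taken from the guide: sub-risk = probability *
dependence * collective vulnerability; overall risk = sum of sub-risks. All
scenarios, sub-processes and scores are constructed sample values."""
from dataclasses import dataclass, field

PROBABILITY_CLASSES = range(1, 6)  # 1 = very unlikely ... 5 = very likely
CRITERION_SCALE = range(0, 6)      # 0 = not relevant ... 5 = highly vulnerable

# Criteria from the guide's catalogue minus "dependence on risk elements",
# which is the weighting factor and is therefore kept separate.
COLLECTIVE_CRITERIA = frozenset({
    "external_infrastructure", "internal_infrastructure", "robustness",
    "level_of_protection", "redundancy", "restoration_effort",
    "adaptability", "buffer_capacity", "transparency",
    "environmental_conditions",
})


@dataclass
class RiskElement:
    name: str
    dependence: int  # how strongly the sub-process depends on it, 0..5
    # scenario name -> {criterion: score}; criteria not listed count as 0
    vulnerability: dict = field(default_factory=dict)

    def collective_vulnerability(self, scenario: str) -> int:
        """Sum of all criteria except dependence, for one scenario."""
        scores = self.vulnerability.get(scenario, {})
        unknown = set(scores) - COLLECTIVE_CRITERIA
        if unknown:
            raise ValueError(f"{self.name}: unknown criteria {sorted(unknown)}")
        for value in (self.dependence, *scores.values()):
            if value not in CRITERION_SCALE:
                raise ValueError(f"{self.name}: score {value} outside 0..5")
        return sum(scores.values())


def sub_risk(probability: int, element: RiskElement, scenario: str) -> int:
    """Sub-risk to one risk element under one scenario (assumed product form)."""
    if probability not in PROBABILITY_CLASSES:
        raise ValueError(f"probability class {probability} outside 1..5")
    return probability * element.dependence * element.collective_vulnerability(scenario)


def overall_risk(probability: int, elements: list, scenario: str) -> int:
    """Overall risk to a sub-process: aggregate of its elements' sub-risks."""
    return sum(sub_risk(probability, e, scenario) for e in elements)


def rank_sub_processes(scenarios: dict, sub_processes: dict) -> list:
    """(sub-process, scenario, overall risk), highest first. The values are not
    absolute quantities; they only support the internal comparison of 3.2.2.4."""
    rows = [(sp, sc, overall_risk(p, elems, sc))
            for sp, elems in sub_processes.items()
            for sc, p in scenarios.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def highest_sub_risks(scenarios: dict, sub_processes: dict, threshold: int) -> list:
    """Sub-risks at or above a threshold, highest first; the threshold stands
    for an operational protection aim such as 'reduce the highest sub-risks'."""
    rows = [(sp, sc, e.name, sub_risk(p, e, sc))
            for sp, elems in sub_processes.items()
            for sc, p in scenarios.items()
            for e in elems]
    return sorted((r for r in rows if r[3] >= threshold),
                  key=lambda r: r[3], reverse=True)


# Constructed sample data: two scenarios and two sub-processes of one
# critical process. Scores are illustrative, not measured.
SCENARIOS = {"Failure of external power supply": 4, "Pandemic": 2}
POWER, PANDEMIC = SCENARIOS  # the two scenario names, for brevity
SUB_PROCESSES = {
    "Control room": [
        RiskElement("Operators (staff)", 5, {
            POWER: {"buffer_capacity": 1},
            PANDEMIC: {"redundancy": 4, "restoration_effort": 3, "buffer_capacity": 2}}),
        RiskElement("Control system server", 5, {
            POWER: {"external_infrastructure": 5, "redundancy": 2,
                    "buffer_capacity": 3, "restoration_effort": 2}}),
        RiskElement("Control room building", 3, {POWER: {"level_of_protection": 2}}),
    ],
    "Goods dispatch": [
        RiskElement("Forklift fleet", 3, {
            POWER: {"external_infrastructure": 2, "redundancy": 1},
            PANDEMIC: {"redundancy": 2}}),
    ],
}

if __name__ == "__main__":
    for sp, sc, value in rank_sub_processes(SCENARIOS, SUB_PROCESSES):
        print(f"{value:4d}  {sp:<15} {sc}")
    print("sub-risks >= 50:", highest_sub_risks(SCENARIOS, SUB_PROCESSES, 50))
```

Because only internal comparison is meaningful, the ranking and the sub-risks above the threshold are the outputs a decision-maker would use to set operational protection aims; the absolute numbers carry no meaning on their own.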
The risk evaluation should indicate whether the protection aims initially defined can be achieved given the existing risks. If there are too many high sub-risks, operational protection aims should be formulated to serve as the starting point for taking preventive measures. Examples of operational protection aims are

• reducing the overall risk to sub-process X, and
• reducing the highest sub-risks for all sub-processes which are part of critical processes.

The highest priority should be to take measures for the sub-processes displaying the greatest sub-risks.

It is ultimately the task of the organization’s decision-makers to choose the appropriate operational protection aims and measures.

3.3 Phase 3: Preventive measures and strategies

Preventive measures help reduce risks to critical processes. They help achieve operational protection aims and thus raise the threshold for potential crises in the organization (see also Figure 5). This can reduce the number and/or intensity of crises.

Preventive measures should be subject to a cost-benefit analysis aimed at reducing the overall risk. This is done by comparing potential expenditures and the direct and indirect costs resulting to the organization from an extreme incident. Combining the results of a risk analysis with those of a cost-benefit analysis leads to the selection of measures which are especially efficient within the framework of the existing budget.[27]

However, measures to reduce risks that are unlikely to occur but would have dramatic impacts if they did are often impossible to justify on the basis of risk and cost-benefit analysis alone. In such cases, it may help to consider societal and ethical aspects as well as the legal framework conditions when deciding on protective measures.

Preventive strategies take advantage of the tools of risk avoidance, risk shifting and risk acceptance. They should only be used in tandem with risk-reduction measures, because they may severely limit the organization's flexibility (risk avoidance), or they may not help reduce physical risks (risk shifting, risk acceptance).

3.3.1 Risk reduction

Risk-reduction measures reduce either the vulnerability of risk elements to threats or directly address the business continuity of critical processes by creating redundancies or substitutes. Redundant systems or substitutes enable critical processes to continue operating under recovery management even if risk elements have been affected.[28]

3.3.2 Risk avoidance

Risks can be avoided, either by avoiding regions where threats exist or by taking measures to ensure that threats do not arise.

It is often possible to identify areas exposed to natural threats or high-risk facilities (e. g. transport routes for hazardous cargo). Such areas can be avoided when planning new sites or the construction of new buildings or facilities.

However, it is impossible to avoid all risks, as no location is entirely risk-free.

Figure 5: Incident intensity and crisis threshold

[27] Cf. Australian/New Zealand Standard 2004, pp. 21–22.
[28] Annex IV.1 contains an extensive checklist for implementing
3.3.3 Risk shifting

Risk shifting transfers risks to other enterprises or contract partners in order to reduce the financial impact on one's own organization in case of damage. Risk-shifting instruments include the following:

• shifting risk to insurers, and
• shifting risk to suppliers or clients.

IMPORTANT NOTE:
Shifting risk does not reduce physical risks to persons or goods. It only affects the financial consequences to the organization of any damage sustained.

3.3.4 Acceptance of risks (residual risks)

Preventive measures and strategies pursued by the organization raise the overall security level. Yet certain risks cannot be overcome entirely. The remaining residual risks should be documented and the organization’s willingness to accept them should be recorded in writing.

Residual risks can lead to crises which typically overwhelm normal operations. A system of crisis management is needed to enable the organization to deal with such situations effectively.

3.3.5 Property insurers’ experience with damages

Property insurers naturally have a special interest in protecting against property damage and in reducing the impact of damage incidents on business continuity.

Conclusions drawn from various damage incidents are collected in numerous publications (manuals, guidelines and fact sheets) of the German Insurance Association (GDV).[29] These can serve as additional information sources to optimize the protection of individual organizations and facilities, thereby helping to protect critical infrastructures.

3.4 Phase 4: Crisis management

In this guide, a crisis is defined as a deviation from the normal situation which cannot be handled using normal operating procedures. Crises in critical infrastructure organizations can have serious consequences for the functioning of enterprises and government authorities and thus result in harm to the public or in disruption of the political, social or economic system. The Trading (Control and Transparency) Act (KonTraG) uses the term “threat to existence”, which is very useful for defining crises.[30] A crisis should be clearly distinguished from less serious incidents, referred to in this guide as disruptions (see Figure 5, page 21).

Crises may originate within the organization itself, for example financial crises as the result of mismanagement or fraud (see Figure 6). External triggers for crises include stock market crashes, negative media coverage or supply difficulties. Other major triggers for crises in critical infrastructures include natural disasters, technical failure, human error, wilful acts of a terrorist or criminal nature, and armed conflicts.

Crisis management plays a major role in protecting organizations and thus critical infrastructures and the public. Crisis management cannot be separated from risk management. Conceptual, organizational, procedural and physical preparation for crises is based in part on the results of risk management. The nature and extent of residual risks identified by risk management can, in some cases, influence the type of preparation carried out as part of crisis management. Because risk-reduction measures cannot reduce all risks and some residual risk always remains, crisis management deals with crises that prevention alone cannot avert.

The aim of crisis management for critical infrastructure organizations is to deal with a crisis while

• maintaining the greatest possible ability to function, and/or
• recovering critical functions as quickly as possible.

[29] Cf. VdS-Richtlinien 2007, for example.
[30] Cf. Trauboth 2002, p. 14 f.
Figure 6: Internal and external crisis triggers

Successful crisis management is embedded within other management strategies, such as the risk management described above. Crisis management involves preparing and activating measures to keep the organization functioning and to ensure business continuity and a return to normal operations. Evaluating the crisis management system during and after an incident makes it possible to improve and refine the system. Crisis management can thus be understood as a PDCA cycle within risk management. The crisis management process is shown in Figure 7.

Figure 7: The crisis management process[31]

The most important features of crisis management are the following:

• Crisis management is a process which includes planning, implementing and evaluating a plan and the resulting action in order to respond effectively and efficiently to a
• As a rule, measures are taken using the limited resources and information available.
• External support or resources may be needed.
• Decisions have to be made quickly and on the basis of incomplete information.

3.4.1 The structure of crisis management

The basic elements of crisis management are a special structure to take action in case of crisis and scenario-based plans to ensure business continuity. All preliminary planning necessary and possible for this purpose is compiled in a crisis management plan.

3.4.1.1 The crisis management plan

The crisis management plan lists all crisis-relevant structures and planned measures to be carried out by organization staff responsible for crisis management and business continuity. A good crisis management plan is short and precise. Crisis checklists[32] make it easier to ensure that all the necessary measures are carried out and no important tasks are forgotten.

A crisis management plan should always be drawn up, even if many preventive measures have already been

The most important tasks of crisis management are:

• creating the conceptual, organizational and procedural conditions needed to deal with an extreme incident as effectively as possible, and
• establishing special structures to respond in case of crisis, in particular setting up a crisis task force.

A crisis management plan covers the following points and indicates who is responsible for them:

• Purpose, aim and scope of the crisis management plan
• Legal foundations
• Development of a special crisis organization
  • crisis task force
  • definition of tasks, areas of responsibility and competences, including the job titles responsible[34]
  • specific crisis management responsibilities and activities
• Development of special procedures to deal with crises, return to normal operations and post-crisis follow-up
  • chain of command and alert
  • models of escalation and de-escalation
  • contact information for contacts within and outside the
  • incident-specific measures for recovery and return to normal operations
  • information on post-crisis follow-up
• Development of scenario-based plan components,
  • evacuation
  • power failure
  • pandemic
  • IT and/or CT failure

The crisis management plan must be updated and practice drills conducted regularly.

[32] Annex IV.2 contains detailed checklists to help prepare for crises.
[33] For an example of a crisis management plan or emergency handbook in the IT field, see: Bundesamt für Sicherheit in der Informationstechnik (BSI) 2008.
[34] Jungbluth 2005, p. 15.
3.4.1.2 Special crisis structures

Crisis situations require special structures. A crisis task force has the goal of dealing with crises as quickly and competently as possible. The structure of the crisis task force depends on the type and needs of the critical infrastructure organization.

3.4.1.2.1 Crisis task force

The crisis task force is the central instrument of crisis response. It is a special structure that overrides the normal operating procedures in order to deal with special situations in the affected units; in it, competences from different departments are brought together under a single leadership. A crisis task force is a decision-making tool which also performs coordinating, informing, advising and support functions. The crisis task force is made up of a leader[35] and the task force team. Within the crisis task force team, one may distinguish between

• the core team, made up of the leader and up to three team members with key functions,
• the extended team, made up of persons with designated special functions or supporting groups,[36] and
• specialists to advise the task force.

All appointed and trained task force members and their deputies must be familiar with their specific tasks and ready to carry them out. When choosing deputies, it is also important to remember those scenarios in which high rates of absenteeism may affect the task force (e. g. major epidemics or pandemics).[37] In order to deal with such situations, several deputies should be designated.

Before a crisis occurs, special work-time arrangements (shift system) should be made specifically for the task force in case of crisis; these should also include some overlapping time in which the earlier shift can update the shift coming on duty on the latest developments. Crises are periods of high stress, so shifts should not exceed six to seven hours.

A model for crisis task forces has been established in the field of threat prevention and disaster preparedness; this model is described in detail in the Fire Brigade Regulation 100.[38]

This model originated in a military context; it describes the form and functions of a command staff and is directed at all organizations whose activities are primarily operational-tactical.

In the field of disaster preparedness on public administration level, a management task force acts alongside the operational-tactical command staff to handle administrative and organizational tasks. The management task force supports the operational-tactical components and carries out primarily administrative tasks. In case of crisis, the management task force may also act on its own if no operational components are deployed.

The form and functions of a task force in private enterprises and government authorities outside the field of threat prevention and disaster preparedness depend on the organization’s needs in the event of a crisis. In some enterprises, it may make sense to organize the task force along the lines of a command staff or management task force, for example if the enterprise performs similar tasks or when close collaboration with disaster preparedness staff is needed. Other enterprises and government authorities may choose other ways to structure their task forces. The important thing is to ensure that the critical infrastructure operator is able to communicate with the threat prevention authority/disaster preparedness organizations. Here, an intensive staff exchange between task forces is helpful and should be an explicit requirement for management task forces.

The following functions/tasks should be covered by every task force, no matter what the organization’s tasks are[40]:

• managing all personnel-related aspects,
• gathering and regularly updating information on the situation,
• delegating tasks to resolve the crisis and coordinating the necessary operations carried out by organization staff,
• handling media and public relations,
• managing all aspects of information and communications, and
• providing for the needs of crisis management staff.

[35] The crisis task force may be headed by the same person who heads the enterprise or government agency. However, this is not advisable, as having different people for these tasks gives the decision-making level more leeway to make important and independent decisions.
[36] Cf. Trauboth 2002, p. 45.
[37] Measures to protect staff, in particular the crisis task force, include ensuring adequate hygiene, providing protective masks and setting up the capacity to work from home. For more information, see Bundesamt für Bevölkerungsschutz und Katastrophenhilfe 2007,
One possible alternative for IT-related organizations is described in BSI-Standard 100-4. See Federal Office for Security in Information
Robert Koch Institut 2005 and 2007a and Annex IV.2. Technology (BSI) 2008.
Feuerwehr-Dienstvorschrift 1999. Revised in line with Feuerwehr-Dienstvorschrift 1999.